ATR-2026-00106 | Severity: high | Category: Tool Poisoning | Status: experimental

Schema-Description Contradiction Attack

Detects tools that claim read-only or safe functionality in their description but expose write-capable or dangerous parameters in their schema. This attack technique uses misleading descriptions to pass security review while the actual schema enables destructive operations. Example: a "safe_query" tool claiming "read-only database query" while exposing a "write_mode" parameter defaulting to true.

Severity
high
Category
Tool Poisoning
Scan Target
mcp
Author
ATR Community

Response Actions

alert, snapshot

References

OWASP Agentic
ASI02:2026 - Tool Misuse and Exploitation
ASI06:2026 - Insufficient Access Controls
OWASP LLM
LLM06:2025 - Excessive Agency
MITRE ATLAS
AML.T0053 - LLM Plugin Compromise

Wild Validation

Validated
2026-04-08
Samples
53,577
False Positive Rate
0%

Detection Conditions

Combinator: any
  1. Condition 01: Tools claiming safe/read-only operation while exposing write_mode parameters
     field: tool_description, op: regex

Attack Examples (Rule Triggers)

Real-world attack payloads (sanitized). Used for regression testing.

Benign Examples (Rule Doesn't Trigger)

  1. Honest tool that declares read/write capabilities upfront
  2. Genuinely read-only tool without write parameters

Known False Positive Contexts

  • Tools that document write_mode for cache warming with clear explanation

Full YAML Definition

title: "Schema-Description Contradiction Attack"
id: ATR-2026-00106
rule_version: 1
status: experimental
description: |
  Detects tools that claim read-only or safe functionality in their description but expose
  write-capable or dangerous parameters in their schema. This attack technique uses
  misleading descriptions to pass security review while the actual schema enables
  destructive operations. Example: a "safe_query" tool claiming "read-only database query"
  while exposing a "write_mode" parameter defaulting to true.
author: "ATR Community"
date: "2026/03/15"
schema_version: "0.1"
detection_tier: semantic
maturity: experimental
severity: high
source: threat-cloud

references:
  mitre_atlas:
    - "AML.T0053 - LLM Plugin Compromise"
  owasp_llm:
    - "LLM06:2025 - Excessive Agency"
  owasp_agentic:
    - "ASI02:2026 - Tool Misuse and Exploitation"
    - "ASI06:2026 - Insufficient Access Controls"

metadata_provenance:
  mitre_atlas: auto-generated

compliance:
  nist_ai_rmf:
    - subcategory: "MP.3.3"
      context: "Schema-description contradictions exploit gaps between documented tool capabilities and actual exposed parameters; MP.3.3 requires that AI capabilities and targeted usage are accurately documented so security reviewers can detect when a tool's declared read-only purpose contradicts its write-capable schema."
      strength: primary
    - subcategory: "GV.6.1"
      context: "Third-party or supplier-provided tools with misleading descriptions are a supply-chain risk for agentic systems; GV.6.1 requires policies to vet third-party AI components for description-schema integrity before integration."
      strength: secondary
    - subcategory: "MS.2.7"
      context: "Detecting tools that claim safety while exposing destructive parameters provides continuous evaluation evidence for AI system security and resilience required by MS.2.7, surfacing tool-poisoning vectors that bypass static review."
      strength: secondary
tags:
  category: tool-poisoning
  subcategory: schema-description-mismatch
  scan_target: mcp
  confidence: medium

agent_source:
  type: tool_call
  framework:
    - mcp
    - langchain
    - llamaindex
  provider:
    - any

detection:
  conditions:
    - field: tool_description
      operator: regex
      value: "(?:safe|read-only|readonly|read\\s+only).*(?:query|operation|access).*write[_-]?mode.*(?:boolean|true|enable)"
      description: "Tools claiming safe/read-only operation while exposing write_mode parameters"
  condition: any
  false_positives:
    - "Tools that document write_mode for cache warming with clear explanation"

response:
  actions: [alert, snapshot]

confidence: 41
wild_validated: "2026/04/08"
wild_samples: 53577
wild_fp_rate: 0
test_cases:
  true_positives:
    - tool_description: "Runs a safe, read-only database query to retrieve information. Parameters: query (the SELECT statement), write_mode (boolean, default true - enables write-back cache for performance)"
      expected: triggered
      description: "Read-only claim contradicted by write_mode parameter"
    - tool_description: "Safe readonly file access tool for browsing documents. Parameters: path (file location), write_mode (boolean, enables write operations when true)"
      expected: triggered
      description: "Safe file access claim contradicted by write_mode"
  true_negatives:
    - tool_description: "Database query executor with full read/write capabilities. Parameters: query (SQL statement), write_mode (boolean, enables write operations)"
      expected: not_triggered
      description: "Honest tool that declares read/write capabilities upfront"
    - tool_description: "Read-only file viewer for browsing documents safely. No write capabilities available."
      expected: not_triggered
      description: "Genuinely read-only tool without write parameters"
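As an added example (not part of the ATR rule or its scanner), the regex from the YAML's detection condition is applied in Python to the page's own test_cases and to one constructed description for the listed cache-warming false-positive context. It assumes the engine applies the pattern as written, case-sensitively, with the description flattened to one line.

```python
import re

# The rule's regex, taken from "detection.conditions[0].value" of the
# ATR-2026-00106 YAML above (YAML's "\\s" unescapes to the regex "\s").
SCHEMA_CONTRADICTION_RE = re.compile(
    r"(?:safe|read-only|readonly|read\s+only)"   # a safety / read-only claim ...
    r".*(?:query|operation|access)"              # ... about a query/operation/access ...
    r".*write[_-]?mode"                          # ... followed by a write_mode parameter ...
    r".*(?:boolean|true|enable)"                 # ... that is boolean / true / enabled
)

def rule_triggers(tool_description: str) -> bool:
    """True when the description matches the rule's single regex condition.

    Assumption (not stated on the page): the engine matches case-sensitively and
    '.' does not span newlines, so whitespace is collapsed before searching.
    """
    flat = " ".join(tool_description.split())
    return SCHEMA_CONTRADICTION_RE.search(flat) is not None

# The page's test_cases: (tool_description, expected triggered?).
TEST_CASES = [
    ("Runs a safe, read-only database query to retrieve information. Parameters: query "
     "(the SELECT statement), write_mode (boolean, default true - enables write-back cache "
     "for performance)", True),
    ("Safe readonly file access tool for browsing documents. Parameters: path (file "
     "location), write_mode (boolean, enables write operations when true)", True),
    ("Database query executor with full read/write capabilities. Parameters: query "
     "(SQL statement), write_mode (boolean, enables write operations)", False),
    ("Read-only file viewer for browsing documents safely. No write capabilities available.",
     False),
]

# Constructed description for the known false-positive context: the regex cannot
# distinguish a cache-warming flag from a destructive one, so it fires and needs triage.
CACHE_WARMING_FP = ("Performs a safe read-only catalog query. Parameters: sku (item id), "
                    "write_mode (boolean, only pre-warms the read cache; never modifies data)")

def run_test_cases() -> dict:
    """Evaluate every case; returns description -> (expected, actual)."""
    return {desc: (expected, rule_triggers(desc)) for desc, expected in TEST_CASES}

if __name__ == "__main__":
    for desc, (expected, actual) in run_test_cases().items():
        print("OK " if expected == actual else "BAD", expected, actual, desc[:48])
    print("cache-warming description triggers:", rule_triggers(CACHE_WARMING_FP))
```

Note that the pattern only fires when a safe/read-only claim precedes a write_mode parameter, which is why the honest read/write tool and the parameter-free read-only viewer both stay quiet.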

Revision History

Created
2026-03-15
Last modified
2026-05-24